libio: Avoid ptrdiff_t overflow in IO_validate_vtable

If the candidate pointer is sufficiently far away from __start___libc_IO_vtables, the result might not fit into ptrdiff_t.
2018-06-20 09:45:19 +02:00 · 2018-06-20 09:45:19 +02:00 · 2d1c89a5d7
parent 646c2833ee
commit 2d1c89a5d7
2 changed files with 6 additions and 2 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+2018-06-20  Florian Weimer  <fweimer@redhat.com>
+
+	* libio/libioP.h (IO_validate_vtable): Avoid ptrdiff_t overflow.
+
 2018-06-19  Joseph Myers  <joseph@codesourcery.com>

 	[BZ #23280]
--- a/libio/libioP.h
+++ b/libio/libioP.h
@ -830,8 +830,8 @@ IO_validate_vtable (const struct _IO_jump_t *vtable)
  /* Fast path: The vtable pointer is within the __libc_IO_vtables
     section.  */
  uintptr_t section_length = __stop___libc_IO_vtables - __start___libc_IO_vtables;
-  const char *ptr = (const char *) vtable;
-  uintptr_t offset = ptr - __start___libc_IO_vtables;
+  uintptr_t ptr = (uintptr_t) vtable;
+  uintptr_t offset = ptr - (uintptr_t) __start___libc_IO_vtables;
  if (__glibc_unlikely (offset >= section_length))
    /* The vtable pointer is not in the expected section.  Use the
       slow path, which will terminate the process if necessary.  */